Legal notice & data privacy

Preamble This Privacy Policy is intended to inform you about the types of personal data (hereinafter also referred to as “Data”) we process, the purposes for which we process it, and the scope of such processing. This Privacy Policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “Online Offer”). The terms used are not gender-specific. As of March 19, 2026Table of Contents

PreambleData ControllerOverview of Processing ActivitiesSecurity MeasuresTransfer of Personal DataGeneral Information on Data Storage and DeletionRights of Data SubjectsBusiness ServicesUse of CookiesRegistration, Login, and User AccountBlogs and Publication MediaNewsletters and Electronic NotificationsPromotional Communications via Email, Mail, fax, or telephone Changes and updates Definitions of Terms

Data ControllerSchildknecht GmbH Markt 16 - 18 60311 Frankfurt am Main Authorized representatives: Hans-Peter Zarges Email address: hpz@schildknecht.group Phone: 01717503831

Overview of Data Processing Activities The following overview summarizes the types of data processed, the purposes of such processing, and identifies the data subjects. Types of Data Processed Master data.Payment data. Contact data. Content data. Contract data. Usage data. Meta, communication, and procedural data. Log data. Categories of data subjectsService recipients and clients. Prospective clients. Communication partners. Users. Business and contractual partners. Purposes of processingProvision of contractual services and fulfillment of contractual Obligations. Communication. Security measures. Direct marketing. Office and organizational procedures. Organizational and administrative procedures. Feedback. Marketing. Provision of our online services and user-friendliness. IT infrastructure. Sales promotion. Business processes and business management procedures.

Applicable Legal Bases Applicable Legal Bases under the GDPR: Below is an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your country of residence or our country of residence. If more specific legal bases apply in individual cases, we will inform you of these in the privacy policy. Consent (Art. 6(1)(a) GDPR) - The data subject has given consent to the processing of personal data concerning him or her for a specific purpose or for several specific purposes. • Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the data subject’s request. - Legal obligation (Art. 6(1)(c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject. • Legitimate interests (Art. 6(1)(f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that the interests, fundamental rights, and freedoms of the data subject the interests of the person requesting the protection of personal data do not outweigh them. National Data Protection Regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Act on the Protection against the Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). The BDSG contains, in particular, special provisions regarding the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and the transfer of data, as well as automated decision-making in individual cases, including profiling. Furthermore, state data protection laws of the individual federal states may apply. < h2 id="m27">Security Measures

Transfer of Personal Data As part of our processing of personal data, such data may be transferred to or disclosed to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, service providers entrusted with IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, enter into appropriate contracts or agreements with the recipients of your data to ensure the protection of your data. Data transfer within the organization: We may transfer personal data to other departments or units within our organization or grant them access to such data. If the data transfer is for administrative purposes, it is based on our legitimate business and operational interests, or it occurs if it is necessary to fulfill our contractual obligations, or if consent from the data subjects or a legal authorization is available.

General Information on Data Storage and Deletion We delete the personal data we process in accordance with legal requirements as soon as the underlying consent is revoked or there is no longer a legal basis for processing. This applies to cases where the original purpose of processing no longer applies or the data is no longer needed. Exceptions to this rule apply if legal obligations or special interests require longer retention or archiving of the data. In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for legal proceedings or to protect the rights of other natural or legal persons, must be archived accordingly. Our privacy policy contains additional information regarding the retention and deletion of data that applies specifically to certain processing operations. If there are multiple specifications regarding the retention period or deletion deadlines for a particular piece of data, the longest period shall always apply. Data that is no longer required for the originally intended purpose but is retained due to legal requirements or If data is retained for other reasons, we process it exclusively for the purposes that justify its retention. Data Retention and Deletion: The following general retention periods apply under German law: 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as the work instructions and other organizational documents necessary for their understanding (Section 147(1)(1) in conjunction with (3) AO, § 14b(1) UStG, § 257(1)(1) in conjunction with (4) HGB). 8 years – accounting documents, such as invoices and expense receipts (Section 147(1)(4) and (4a) in conjunction with (3), first sentence, AO, and Section 257(1)(4) in conjunction with (4) HGB). • 6 years – Other business records: received commercial or business letters, copies of sent commercial or business letters, other documents to the extent they are relevant for taxation, e.g., hourly wage slips, payroll sheets, cost calculation documents, price tags, as well as payroll records, provided they are not already accounting documents, and cash register receipts (Section 147(1)(2), (3), and (5) in conjunction with Section 3 of the German Fiscal Code (AO), Section 257(1)(2) and (3) in conjunction with Section 4 of the German Commercial Code (HGB)). 3 years – data that Data required to address potential warranty and indemnity claims or similar contractual claims and rights, as well as to process related inquiries, based on past business experience and standard industry practices, will be stored for the duration of the standard statutory limitation period of three years (Sections 195, 199 of the German Civil Code (BGB)). Commencement of the period at the end of the year: If a period does not expressly commence on a specific date and is at least one year in duration, it automatically begins at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in which data is stored, the event triggering the period is the date on which the termination or other termination of the legal relationship takes effect.

Rights of Data SubjectsRights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 through 21 of the GDPR:Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out pursuant to Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions. If personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.Right of withdrawal in the case of Consent: You have the right to withdraw your consent at any time. Right of access: You have the right to request confirmation as to whether your personal data is being processed, as well as access to this data, further information, and a copy of the data in accordance with legal requirements. Right to rectification: In accordance with legal requirements, you have the right to request that data concerning you be completed or that incorrect data concerning you be corrected. • Right to erasure and restriction of processing: In accordance with legal requirements, you have the right to request that data concerning you be erased without delay, or alternatively, in accordance with legal requirements, to request a restriction on the processing of the data. • Right to Data portability: You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, in accordance with legal requirements, or to request that it be transmitted to another controller. Complaints to a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement, if you believe that the processing of your personal data violates the provisions of the GDPR.

Business Services We process the personal data of our contractual and business partners—such as customers, clients, prospective customers, suppliers, and other partners (collectively, “Contractual Partners”)—for the purpose of establishing, executing, and fulfilling contractual relationships and similar legal relationships. This also includes pre-contractual measures taken upon request, as well as communication in connection with the respective contractual relationship. The processing serves, in particular, to fulfill our primary and ancillary contractual obligations. This includes the provision of the agreed services, any obligations to update or provide information, the handling of warranty claims and other service disruptions, the processing of revocations, terminations of continuing obligations, rescissions, refunds, as well as the processing of other contract-related declarations and inquiries. This covers both one-time contracts and ongoing contractual relationships. In particular, the following data is processed: master data such as name, address, and, if applicable, company name; contact data such as email address and phone number; contract and service data such as the subject matter of the contract, contract term, order or transaction number; usage and Service data, payment and billing data, as well as communication content and history. To the extent necessary, we also process data that is disclosed or transmitted to us in connection with the performance of an order. In addition, we process the data to protect our rights and to comply with legal obligations. This includes, in particular, retention obligations under commercial and tax law, documentation obligations, and, where applicable, obligations to provide evidence and accountability. Furthermore, processing is carried out based on our legitimate interests in proper business management, internal administration, risk management, and IT security, as well as in protecting our business operations and our contractual partners from misuse, threats to data, trade secrets, and other legal interests. This may also include the involvement of external service providers such as IT and telecommunications providers, transport and logistics companies, payment service providers, banks, tax and legal advisors, or other vicarious agents, to the extent that this is necessary for the performance of the contract or to fulfill legal obligations. Personal data is disclosed to third parties only to the extent necessary for the performance of a contract, the implementation of pre-contractual measures, the protection of legitimate interests, or the fulfillment of legal obligations. We provide separate information regarding any additional processing, particularly for marketing purposes, within this Privacy Policy. We inform our contractual partners of the specific data required in each individual case during the data collection process, for example through appropriate labeling in online forms or during personal contact. Data is deleted as soon as it is no longer necessary for the aforementioned purposes and there are no conflicting legal retention obligations. Statutory retention periods, particularly under commercial and tax law, may require longer storage. We delete data transmitted in connection with a specific order upon completion of the order and the expiration of any retention periods, provided there are no further legal or contractual obligations to retain the data. The legal basis for the processing is Article 6(1)(b) of the GDPR for the implementation of pre-contractual measures and the fulfillment of the respective contractual relationship, as well as Article 6(1)(c) of the GDPR for the fulfillment of legal obligations. To the extent that the processing is based on legitimate interests, it is carried out pursuant to Article 6(1)(f) of the GDPR. To the extent that processing is based on Article 6(1)(f) of the GDPR, it is carried out to safeguard our legitimate interests in proper and efficient business organization, the internal administration and documentation of business transactions, the enforcement and defense of legal claims, the assurance of IT and data security, the prevention of misuse and fraud, and the economic management and further development of our business operations. These interests consist, in particular, of ensuring secure and legally compliant business operations and safeguarding our ability to act as a business entity.

Types of data processed: Master data (e.g., full name, home address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or phone numbers); Contract data (e.g., subject matter of the contract, term, customer category); Usage data (e.g., page views and time spent on site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved). Data subjects: Service recipients and clients; prospective clients. Business and contractual partners. • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; security measures; communication; office and organizational procedures; organizational and administrative procedures; business processes and business management procedures. • Retention and Deletion: Deletion in accordance with the information provided in the section “General Information on Data Storage and Deletion”.
• Legal Basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR). Legitimate interests (Art. 6(1)(f) GDPR). Further information on processing operations, procedures, and services:
  Online store, order forms, e-commerce, and service fulfillment: We process our customers’ data to enable them to select, purchase, or order the chosen products, goods, and related services, as well as to facilitate their payment, provision, delivery, or fulfillment. If necessary for the fulfillment of an order, we engage service providers, in particular postal, freight, and shipping companies, to carry out the delivery or fulfillment for our customers. We use the services of banks and payment service providers to process payment transactions. The The required information is clearly marked as such during the ordering process or a similar transaction and includes the details necessary for delivery, provision of the product, and billing, as well as contact information to facilitate any necessary communication; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Payment Methods Within the scope of contractual and other legal relationships, based on legal obligations, or otherwise on the basis of our legitimate interests, we offer data subjects efficient and secure payment options and, for this purpose, engage banks, credit institutions, and other service providers (collectively, “payment service providers”). In accordance with the state of the art, payment transactions are conducted exclusively via encrypted connections, ensuring that the data entered is protected from unauthorized access during transmission. The data processed by the payment service providers includes personal information, such as name and address; banking information, such as account numbers or credit card numbers; passwords, TANs, and verification codes; as well as details related to the contract, transaction amounts, and recipients. This information is required to process the transactions. However, the data entered is processed and stored solely by the payment service providers. This means that we do not receive any account or credit card-related information, but only information confirming or rejecting the payment. Under certain circumstances, the payment service providers may transmit the data to credit bureaus. The purpose of this transmission is to verify identity and creditworthiness. For this, we refer you to the terms and conditions and privacy policies of the payment service providers. The terms and conditions and privacy policies of the respective payment service providers apply to payment transactions; these are available on the respective websites or within the transaction applications. We also refer you to these for further information and to exercise your rights of withdrawal, access, and other data subject rights.

Types of data processed: Personal information (e.g., full name, home address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contract data (e.g., subject matter of the contract, term, customer category); Usage data (e.g., page views and time spent on site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved); Contact data (e.g., postal and email addresses or phone numbers). Content data (e.g., textual or visual messages and posts, as well as related information, such as details regarding authorship or the time of creation). Data subjects: Service recipients and clients; business and contractual partners; prospective customers. Users (e.g., website visitors, users of online services). - Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; business processes and operational procedures. Feedback (e.g., Collecting feedback via an online form). Retention and deletion: Deletion in accordance with the information provided in the section “General Information on Data Storage and Deletion”.
• Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR). Additional information on processing operations, procedures, and services:
  Amazon Payments: Payment services (technical integration of online payment methods); Service provider: Amazon Payments Europe S.C.A., 38 avenue J.F. Kennedy, L-1855 Luxembourg; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR);

Use of Cookies The term “cookies” refers to functions that store and retrieve information on users' devices. Cookies may also be used for various purposes, such as ensuring the functionality, security, and convenience of online services, as well as for analyzing visitor traffic. We use cookies in accordance with legal regulations. To this end, we obtain users’ consent in advance when necessary. If consent is not required, we rely on our legitimate interests. This applies when the storage and retrieval of information is essential to provide explicitly requested content and functions. This includes, for example, the storage of settings and ensuring the functionality and security of our online service. Consent may be revoked at any time. We provide clear information about the scope of this and which cookies are used. Notes on the legal basis for data protection: Whether we process personal data using cookies depends on consent. If consent has been given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures. Information on the legal basis for data protection: Whether we process personal data using cookies depends on consent. If consent has been given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures. Retention period: With regard to the retention period, the following types of cookies are distinguished:Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online service and closes their device (e.g., browser or mobile application). • Permanent cookies: Permanent cookies remain stored even after the device is closed. For example, the login status can be saved and Preferred content is displayed directly when the user revisits a website. Similarly, user data collected via cookies may be used for audience measurement. Unless we provide users with explicit information regarding the type and storage duration of cookies (e.g., when obtaining consent), they should assume that these cookies are persistent and may be stored for up to two years. General Information on Withdrawal and Objection (Opt-out): Users may withdraw their consent at any time and may also object to the processing in accordance with legal requirements, including through their browser’s privacy settings.

Types of data processed: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).Data subjects: Users (e.g., website visitors, users of online services).
• Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR). Further information on processing operations, procedures, and services:
  Processing of cookie data based on consent: We use a consent- This management solution is used to obtain user consent for the use of cookies or for the processes and providers specified within the consent management solution. This process serves to obtain, log, manage, and revoke consent, particularly regarding the use of cookies and similar technologies that are used to store, read, and process information on users' devices. Within this process, user consent for the use of cookies and the associated processing of information, including the specific processing activities and providers mentioned in the consent management process, is obtained. Users also have the option to manage and revoke their consent. The declarations of consent are stored to avoid repeated requests and to provide proof of consent in accordance with legal requirements. Storage takes place server-side and/or in a cookie (so-called opt-in cookie) or using comparable technologies to assign the consent to a specific user or their device. Unless specific information is available regarding the providers of consent management services, the following general guidelines apply: The storage period for consent is up to two years. A pseudonymous user identifier is created, which is combined with The data stored includes the time of consent, details regarding the scope of consent (e.g., categories of cookies and/or service providers concerned), and information about the browser, system, and device used; Legal basis:

Registration, Login, and User Account

Users can create a user account. During registration, users are informed of the required mandatory information, which is processed for the purpose of providing the user account based on the fulfillment of contractual obligations. The processed data includes, in particular, login information (username, password, and email address).

When using our registration and login functions, as well as the user account, we store the IP address and the time of the respective user action. This storage is based on our legitimate interests as well as those of the users in protection against misuse and other unauthorized use. We do not generally pass this data on to third parties, unless it is necessary for the enforcement of our claims or there is a legal obligation to do so.

Users may be informed by email about processes relevant to their user account, such as technical changes.

• Types of data processed:

Further information on processing procedures and services:

• Data deletion after termination:

• Types of data processed:

Newsletters and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter "newsletters") only with the consent of the recipients or on the basis of a legal basis. If the content of the newsletter is mentioned during registration, this content is required for the consent of the Users are crucial. To subscribe to our newsletter, providing your email address is usually sufficient. However, to offer you a personalized service, we may ask for your name for a personal greeting in the newsletter or for further information if necessary for the newsletter's purpose. Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them in order to be able to prove previously given consent. The processing of this data is limited to the purpose of defending against potential claims. An individual deletion request is possible at any time, provided that the prior existence of consent is confirmed. In the case of obligations to permanently respect objections, we reserve the right to store the email address solely for this purpose in a blocklist. The registration process is logged based on our legitimate interests for the purpose of documenting its proper execution. Insofar as we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure sending system. Content:

Information about us, our services, promotions, and offers.

• Types of data processed:

Changes and updates

We ask you to regularly check the content of our privacy policy. We will update the privacy policy as soon as changes to our data processing activities make this necessary. We will inform you as soon as any changes require your action (e.g., consent) or any other individual notification. If we provide addresses and contact information for companies and organizations in this privacy policy, please note that these addresses may change over time and ask that you verify the information before contacting them.

Definitions

This section provides an overview of the terms used in this privacy policy. Where terms are legally defined, those legal definitions apply. The following explanations are primarily intended to aid understanding.

• Inventory Data: